//Due to the limitations of using Vars to generate a CA and certs, I've built a custom openssl.cnf from the bottom up. While one will have the option of using whichever they prefer, utilizing OpenSSL directly via the aforementioned config will provide a more cohesive experience between the CA and its certs, as well as better security.//

* If you choose to do so, <color #647800>//network=//</color><color #FF8000>**vpn0**</color> will need to be updated accordingly in [[:doc:howto:openvpn-streamlined-server-setup#allow_openvpn_tunnel_utilization|Allow OpenVPN Tunnel Utilization]]

* If you choose to do so, <color #647800>//option dev//</color> '<color #FF8000>**tun0**</color>' will need to be updated accordingly in [[:doc:howto:openvpn-streamlined-server-setup#create_vpn_server_config|Create VPN Server Config]]

- If you choose to do so, ''<color #007DC8>vpn</color>'' will need to be updated accordingly in [[:doc:howto:openvpn-streamlined-server-setup#create_rules|Firewall Rules]]\\ \\

- If you choose to do so, ''<color #647800>//option dev//</color> <color #007DC8>tun0</color>'' will need to be updated accordingly in [[:doc:howto:openvpn-streamlined-server-setup#config|VPN Server Config]]\\ \\

* //There have been a few instances where rules input in the above order to <color #606060>**/etc/config/firewall**</color> aren't applied in the same order under <color #606060>**LuCI - Network - Firewall - Traffic Rules**</color>. If this occurs, delete the problem rule(s) from <color #606060>**/etc/config/firewall**</color> and add them manually via LuCI.//

===== VPN Server =====


-

=== Add minimum TLS version parameter to openvpn ===

-

* As of now the openvpn-openssl package (2.3.6-5) does not support setting a minimum TLS version (1.2 in this case).

-

* We need to add **tls_version_min** to the append_params section in the file **/etc/init.d/openvpn**

* This specific configuration has been designed to give the best performance possible, via [[https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux|MTU]] and [[http://winaero.com/blog/speed-up-openvpn-and-get-faster-speed-over-its-channel/|buffer]] tuning recommendations

* NTP is obtained from [[http://tf.nist.gov/tf-cgi/servers.cgi|NIST]] (time-c) and can be updated to your NTP server of choice

+

option tls_auth '/etc/ssl/openvpn/tls-auth.key 0'

-

* NTP should be specified, but doesn't need to be NIST. When dealing with encryption handshakes, time on both the server and the client must be accurate to within milliseconds.

+


-

* The <color #606060>//**CCD directives**//</color> (under <color #6E6E6E>//Client Config//</color>) are commented out, as you will need to read the [[https://openvpn.net/index.php/open-source/documentation/howto.html#policy|OpenVPN HowTo]] to understand what they are and how to use them.

* To add additional servers, simply copy and paste the first config directly below itself, with a blank line separating the two. Customize the second server config, making sure not to forget to change the second <color #647800>//option dev//</color> (under <color #6E6E6E>//Protocol//</color>) to the correct interface name.

+

#------------------------------------------------

+

option log_append '/tmp/openvpn.log'

+

option status '/tmp/openvpn-status.log'

+

option verb 4

-

* <color #C80000>//**I __strongly encourage__ taking the 45 min or so to read through the OpenVPN HowTO & OpenVPN Man Page, located in the**//</color> **//[[:doc:howto:openvpn-streamlined-server-setup#vpn_wikis|VPN Wiki Links]]//** <color #C80000>//**section at the bottom of this Wiki; both provide __every possible option__ for the Server and Client Configs, allowing for a truly customizable VPN solution.**//</color>

<wrap right button>[[https://play.google.com/store/apps/details?id=de.blinkt.openvpn&hl=en|OpenVPN for Android]]</wrap>

+

<color #508CAA>**Android Client Information**</color>

+

+

<WRAP centeralign><color #960000>**For compatibility with exFAT, Android sdcards have a non-customizable 771 permission structure**\\ It's //imperative//, for the security of the VPN, to ensure the certificate key is encrypted as specified under [[doc:howto:openvpn-streamlined-server-setup#client_certs|Client Certs]]</color></WRAP>

+

+

* **//OpenVPN for Android// is the best app for VPNs on Android**\\ \\

+

* **PKCS12 certs are installed into the //Android Keychain//**

+

* As a security feature, a warning toast will always appear in the notification area due to user-installed certs

+

* This toast can be removed if you have a rooted device by following the Toast Removal tutorial \\ \\

+

* Another option is to include all certs & keys via inline XML within the client config file

+

* //Regardless of whether all certs are referenced as inline XML or not, the final generated config inlines all certs//\\ \\

+

* **If you choose to reference the ''//tlsauth.key//'', instead of utilizing inline XML**

+

- <color #960000>**//Remove://**</color>\\ <code cpp>

+

# Encryption #

+

#------------------------------------------------

+

key-direction 1

<​tls-auth>​


-----BEGIN OpenVPN Static key V1-----


-

#---PASTE KEY HERE---#

+

#PASTED-KEY-INLINE-HERE#

-----END OpenVPN Static key V1-----


-

</tls-auth>

+

</tls-auth></code>

+

- <color #789600>**//Add://**</color>\\ <code cpp>

+

# Encryption #

+

#------------------------------------------------

+

tls-auth '/path/to/tlsauth.key' 1</code>
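Added example, not code from this wiki or from the OpenVPN project: a Python helper that performs the Remove/Add swap above in both directions, turning a ''tls-auth'' file reference into ''key-direction'' plus an inline ''<tls-auth>'' block and back again. The sample client config, the placeholder key body and the ''/sdcard/openvpn/tlsauth.key'' path used when calling it are constructed placeholders.

```python
import re
# Constructed sample client config (file-reference form) and a placeholder key body;
# a real OpenVPN static key has 16 lines of hex between the two markers.
FILE_REF_CONFIG = """client
dev tun
remote vpn.example.com 1194
tls-auth '/path/to/tlsauth.key' 1
cipher AES-256-CBC
"""
SAMPLE_KEY = """-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
"""
TLS_AUTH_FILE_RE = re.compile(r"^tls-auth\s+'?([^'\s]+)'?\s+([01])$")
KEY_DIRECTION_RE = re.compile(r"^key-direction\s+([01])$", re.M)

def inline_tls_auth(config: str, key_body: str) -> str:
    """Swap 'tls-auth <file> <dir>' for 'key-direction <dir>' plus an inline <tls-auth> block."""
    key_lines = key_body.strip().splitlines()
    if not (key_lines[0].startswith("-----BEGIN OpenVPN Static key") and key_lines[-1].startswith("-----END OpenVPN Static key")):
        raise ValueError("key body is not an OpenVPN static key")
    out, done = [], False
    for line in config.splitlines():
        m = TLS_AUTH_FILE_RE.match(line.strip())
        if m and not done:
            out += [f"key-direction {m.group(2)}", "<tls-auth>", *key_lines, "</tls-auth>"]
            done = True
        else:
            out.append(line)
    if not done:
        raise ValueError("no tls-auth file reference found")
    return "\n".join(out) + "\n"

def externalize_tls_auth(config: str, key_path: str) -> tuple:
    """Reverse: return (config referencing key_path, key body the caller writes to key_path)."""
    kd = KEY_DIRECTION_RE.search(config)
    direction = kd.group(1) if kd else "1"  # key-direction may sit anywhere; clients default to 1
    out, key_lines, in_block = [], [], False
    for line in config.splitlines():
        s = line.strip()
        if s == "</tls-auth>":
            in_block = False
            out.append(f"tls-auth '{key_path}' {direction}")
        elif in_block:
            key_lines.append(s)
        elif s == "<tls-auth>":
            in_block = True
        elif not KEY_DIRECTION_RE.match(s):  # drop key-direction; the tls-auth line now carries it
            out.append(line)
    if not key_lines:
        raise ValueError("no inline <tls-auth> block found")
    return "\n".join(out) + "\n", "\n".join(key_lines) + "\n"
```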

+

* <color #960000>**Some Android devices are not able to convert PKCS12 certs to x509 certs**</color>

+

* If your device is affected, you will need to reference your individual certs in your Server Config

* In Windows, if the p12 certificate isn't stored in the same directory as the ovpn config file, you will need to reference the path to the p12 cert

+

#------------------------------------------------

-

* In Windows you must use double backslashes, e.g. <color #6E6E6E>//"C:\\Program Files\\OpenVPN\\Config\\"//</color>

+

float

-

* It is known that Windows 10 under-prioritizes the OpenVPN client's DNS queries, preventing DNS queries from going over the tunneled OpenVPN server network and leaking DNS queries to your client's local network.

+

nobind

-

* Above you will notice a commented-out option "block-outside-dns." The OpenVPN client for Windows, as of version 2.3.9, provides a fix for this problem with the use of the "block-outside-dns" option. This may also be placed in the server config, and if placed in the server config it will not affect other clients (maybe a warning will pop up?); see https://community.openvpn.net/openvpn/ticket/605 for more info.

* [[https://play.google.com/store/apps/details?id=de.blinkt.openvpn&hl=en|OpenVPN for Android]] is the best app for VPNs on Android

+

key '/sdcard/openvpn/vpn-client1.key.pem'

-

* There's no need to reference a p12 cert as it's installed into the <color #6E6E6E>//Android Keychain//</color>; a security feature will cause a warning toast to always appear in the notification area due to user-installed certs.

+

tls-auth '/path/to/tlsauth.key' 1</code>

-

* This warning can be removed if you have a rooted or bootloader-unlocked device by following [[http://forum.xda-developers.com/google-nexus-5/help/howto-install-custom-cert-network-t2533550|this]] tutorial on XDA Developers. It involves a minor edit and permissions change, transferring the p12 cert from userland to system trusted.

* <color #C80000>//If you refuse to help yourself, don't expect someone else to help you//</color>

-

* <color #C80000>//**The answer to any question one could possibly have about an OpenVPN Client or Server configuration is contained within the [[:doc:howto:openvpn-streamlined-server-setup#vpn_wikis|VPN Wiki Section]], specifically the OpenVPN [[https://openvpn.net/index.php/open-source/documentation/howto.html|HowTO]] and [[https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage|Man Pages]]**//</color>

-

* <color #C80000>//If, after reading, one still is unable to find a solution to their issue or question, please post a question in the applicable device or topic thread in the [[https://forum.openwrt.org/|OpenWRT Forum]] or [[https://forums.openvpn.net/|OpenVPN Forum]]//</color>

-

* <color #C80000>//**__Please__ do not publish questions directly to this Wiki, as:**//</color>

* <color #​C80000>//​It clutters the Wiki, possibly making it more difficult for others to navigate//</color>

+

<WRAP 76.5em lo>

+

* **//Please take the time to read//**

+

* //If you refuse to help yourself, don't expect someone else to help you//\\ \\

+

* **//The answer to any question about an OpenVPN Client or Server configuration is contained within the//** //[[:doc:howto:openvpn-streamlined-server-setup#vpn_wikis|VPN Wiki]]// **//or//** //[[:doc:howto:openvpn-streamlined-server-setup#openssl|OpenSSL]]// **//sections//**

+

* //If one is still unable to find a solution to their issue, please post a question in the applicable device or topic thread in the [[:doc:howto:openvpn-streamlined-server-setup#openwrt|OpenWrt]] or [[:doc:howto:openvpn-streamlined-server-setup#openvpn|OpenVPN]] forums//\\ \\

+

* <color #960000>**//Please do not publish questions directly to this Wiki, as://**</color>

+

* //Most importantly,​ it's __not__ monitored for questions//

+

* //It clutters the Wiki, possibly making it more difficult for others to navigate//